CVE-2025-30148
Published 2025-04-10
Priority: P427 · Severity: medium · CVSS 3.1 base score: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.24% (14.4th percentile)
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, a bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | framework | <= 5.3.23 | — |
| silverstripe | framework | >= 0 < 5.3.23 | 5.3.23 |
| silverstripe | silverstripe-framework | < 5.3.23 | 5.3.23 |
GHSA
Silverstripe Framework has an XSS vulnerability in HTML editor
ghsa · 2025-04-10
CVE-2025-30148 [MEDIUM] CWE-79
### Impact
A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it.
The server-side sanitisation logic has been updated to sanitise against this attack.
### Reported by
James Nicoll from Fujitsu Cyber
### References
- https://www.silverstripe.org/download/security-releases/cve-2025-30148
OSV
Silverstripe Framework has an XSS vulnerability in HTML editor
osv · 2025-04-10
CVE-2025-30148 [MEDIUM]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.